ABSTRACT

Wireless communication enables a broad spectrum of applications, ranging from commodity to tactical systems. Neighbor discovery (ND), that is, determining which devices are within direct radio communication, is a building block of network protocols and applications, and its vulnerability can severely compromise their functionalities. A number of proposals to secure ND have been published, but none have analyzed the problem formally. In this paper, we contribute such an analysis: We build a formal model capturing salient characteristics of wireless systems, most notably obstacles and interference, and we provide a specification of a basic variant of the ND problem. Then, we derive an impossibility result for a general class of protocols we term "time-based protocols," to which many of the schemes in the literature belong. We also identify the conditions under which the impossibility result is lifted. Moreover, we explore a second class of protocols we term "time- and location-based protocols," and prove they can secure ND.

Categories and Subject Descriptors 

C.2.0 [Computer-Communication Networks]: General — 
Security and protection 

General Terms 

Security 

Keywords 

wireless networks security, secure neighbor discovery, relay 
attack 

1. INTRODUCTION 

Wireless networking is a key enabler for mobile communication systems, that range from cellular infrastructure-based data networks and wireless local area networks (WLANs) to disaster-relief, tactical, and sensor networks, and short-range wire replacement and radio frequency identification (RFID) technologies. In all such systems, any two wireless devices communicate directly when in range, without the assistance of other devices. The ability to determine if direct, one-hop, communication takes place is fundamental. For example, a WLAN access point (AP) assigns a new IP address to a mobile station only when it is within the AP's coverage area. Or, a mobile node does not initiate a route discovery across a mobile ad hoc network (MANET) if a sought destination is already in its neighbor table. Or, an RFID tag will be read only if the signal transmitted by the tag can be received directly by the reader. These examples illustrate that, depending on whether another system entity, denoted as node in the rest of the paper, is a neighbor or not, actions are taken (e.g., by the AP or the router) or implications are derived (e.g., the RFID tag and reader are physically close). In other words, discovering a neighbor, or knowing that a node is a neighbor, is a common building block and enabler of diverse system functionality.

Nonetheless, if an attack against neighbor discovery (ND) can be perpetrated, such functionality can be abused. For example, letting legitimate nodes erroneously believe that they are neighbors allows the adversary to fully control communication across these artificial links. The threat lies in that the attacker can deny or derange communication at any point; this can happen exactly at the moment a message critical for the system operation is transmitted. In multi-hop networks, a "well-chosen" artificial link is likely to attract a considerable number of routes, with devastating effects: denial of communication across all these routes and significant disturbance in the flow of data. In a different scenario, misleading an RFID tag reader that the tag (and its owner) is physically close to the RFID reader, while this is not so, can enable the adversary to gain unauthorized access to the premises of the tag owner.

Such attacks against ND are easy to mount, because the common solution is to have nodes broadcast their identity, so that reception at node A of such a beacon from node B suffices for A to add B to its neighbor table. This can be abused by an adversary that forges beacons and misleads a correct, protocol-abiding, node into believing that it has fictitious neighbors. Entity authentication may appear as a solution. Authentication does not imply, however, that the node is a neighbor. It only establishes which node created a message but not which sent it across the wireless medium. To illustrate this, consider A and B unable to communicate directly, and C within range of both A and B. Node C receives and repeats B's beacon, for example, digitally signed and time-stamped, with no modification. Then, A receives the beacon and discovers B as a neighbor, even though this is not so, precisely because A cannot distinguish whether the message (beacon) was sent directly by B or was relayed by another node.

A number of schemes were designed to thwart such relay attacks, often termed wormholes, and essentially safeguard ND. Distance bounding [5] is the basic approach: the distance of two nodes is estimated by measuring the signal time of flight from and to those nodes. If the estimate is below a threshold corresponding to the nodes' communication range, the node is accepted as a neighbor. This may provide the desired level of security for some applications; e.g., if an RFID reader can conclude that a tag is within a range of 10 cm, it is safe to have the building door opened. In other words, what this approach provides is discovery of physical neighborhood. However, for two nodes to be communication neighbors (which we term simply as "neighbors" in the rest of the paper), proximity is not sufficient [19]. Obstacles or interference can prevent nearby nodes from communicating directly. This allows the attacker to abuse an ND mechanism oblivious to such obstructions and to mislead two nearby nodes into believing they are neighbors while they are not. This aspect of ND has been largely overlooked by schemes proposed to date.

In this paper, we address this problem, by answering a more fundamental question: To what extent is secure neighbor discovery possible? We focus on the most generally applicable variant of ND, which only requires two nodes to establish a neighbor relation; relying on additional nodes to assist the ND process can be impractical, especially in low-density networks. We prove that for a large class of protocols, which includes many of the proposals in the literature, it is impossible to achieve secure ND. On the positive side, we propose a protocol from a different class and prove that it can in fact provide secure neighbor discovery.

To reach this result, we contribute the first formal investigation of secure ND. We provide a model of wireless ad hoc networks rich enough to capture the problem at hand, and a specification of what we term the two-party ND. Then, we analyze the above-mentioned two general classes of protocols. We denote the first one time-based protocols (T-protocols), for which nodes exchange messages and are able to measure time with perfect accuracy. For this class, we show the following impossibility result: No T-protocol can solve the (secure) ND problem if adversarial nodes are able to relay messages with a delay below a certain threshold (Section 3). On the contrary, if the minimum relaying delay is above that same threshold, we show it is possible to achieve secure ND (Section 4). Then, in Section 5 we consider the second class of protocols we term time- and location-based protocols (TL-protocols): nodes are, in addition to T-protocol capabilities, aware of their location. We show that TL-protocols can secure ND even if adversarial nodes can relay messages with almost no delay.

Existing solutions, discussed in Section 7, were not formally analyzed. A fraction of those schemes are indeed affected by our impossibility result. For the rest, our discussion in Section 7 points out other weaknesses and reflects concepts introduced here. Furthermore, in Section 6 we discuss in detail the implications of our results, model assumptions, as well as practical considerations on protocol design, before we conclude with future work.



2. SYSTEM MODEL 

We are interested in modeling a wireless network: its basic entities, nodes, are processes running on computational platforms equipped with transceivers communicating over a wireless channel. We assume that nodes have synchronized clocks and are static (not mobile). Nodes either follow the implemented system functionality, in which case we denote them as correct, or they are under the control of an adversary, in which case we denote them as adversarial nodes.

We model communication at the physical layer, rather than at higher layers (data link, network, or application), in order to capture the inherent characteristics of neighbor discovery in wireless networks. For simplicity, correct nodes are assumed to use a single wireless channel and omnidirectional antennas, but we do not require them to have equal transmission power and receiver sensitivity. On the other hand, adversarial nodes have enhanced capabilities: they use directional antennas and are able to communicate not only across the wireless channel used by correct nodes, but also across a dedicated adversary channel imperceptible to correct nodes.

Our system model comprises: (i) a setting $\mathcal{S}$, which describes the type (correct or adversarial) of nodes, their location and how the wireless channel state changes over time; (ii) a protocol model $\mathcal{P}$, which determines the behavior of correct nodes; (iii) an adversary model $\mathcal{A}$, which determines the capabilities of adversarial nodes.

We make the assumption that if we look at the system at any point in time, one or more phenomena occur. We are interested in phenomena relevant to the wireless communication and the system at hand and, consequently, to our analysis. We denote these phenomena, associated with nodes, as events (Definition 2). Then, we model the system evolution over time using the notion of trace, i.e., a set of events (Definition 3). More precisely, we use feasible traces, that satisfy constraints specified by $\mathcal{S}$ (proper correspondence between wireless sending and receiving of messages), $\mathcal{P}$ (correct nodes follow the protocol), and $\mathcal{A}$ (adversarial nodes behave according to their capabilities).

The specification of secure neighbor discovery is provided exclusively with respect to feasible traces. It consists of two properties requiring that (i) if a node concludes that some other correct node is a neighbor, then it is indeed a neighbor (in every feasible trace), and (ii) if two correct nodes are neighbors, it should be possible for them to conclude they are neighbors (in some setting and feasible trace). We call this two-party neighbor discovery, with only two nodes participating in an ND protocol run. We discuss later an alternative multi-party ND, which relies on the participation of additional correct nodes to conclude successfully on whether two nodes are neighbors or not.

2.1 System Parameters 

We list the parameters of our system model. They are used by the protocols, and are known to the protocol designer and to the adversary, both of whom have limited control over their values.

• $\mathbb{V}$, the set of unique node identifiers, which for simplicity we will consider equivalent with the nodes themselves,

• $v \in \mathbb{R}_{>0}$, the signal propagation speed across the wireless channel,

• $v_{adv} \geq v$, the information propagation speed over the adversary channel,

• $M$, the set of messages,

• $|\cdot| : M \to \mathbb{R}_{>0}$, the message duration function.

Parameter $v$ defines how fast messages propagate across the wireless channel, and once a communication technology is selected, this cannot be controlled by the system designer. Parameter $v_{adv}$ is under the control of the adversary: he can choose the technology and thus how fast information can propagate between adversarial nodes across the adversary channel. The message space is system-specific and under the control of the system designer, whereas the message duration function, which determines the transmission delay (not including the propagation delay), also depends on the technology used and the achievable transmission rates, e.g., in bits per second.

2.2 Settings 

A setting describes the type and location of nodes, and 
how the state of the wireless channel changes over time. 

Definition 1. A setting $\mathcal{S}$ is a tuple $(V, loc, type, link)$, where:

• $V \subset \mathbb{V}$ is a finite set of nodes. An ordered pair $(A, B) \in V^2$ is called a link.

• $loc : V \to \mathbb{R}^2$ is called a location function¹. As we assume nodes are not mobile, this function does not depend on time. We define $dist : V \times V \to \mathbb{R}_{\geq 0}$ as $dist(A,B) = d_2(loc(A), loc(B))$, where $d_2$ is the Euclidean distance in $\mathbb{R}^2$. We require the $loc$ function to be injective, so that no two nodes share the same location. Thus, $dist(A,B) > 0$ for $A \neq B$.

• $type : V \to \{correct, adversarial\}$ is the type function; it defines which nodes are correct and which are adversarial. This function does not depend on time, as we assume that the adversary does not corrupt new nodes during the system execution. We denote $V_{cor} = type^{-1}(\{correct\})$ and $V_{adv} = type^{-1}(\{adversarial\})$.

• $link : V^2 \times \mathbb{R}_{\geq 0} \to \{up, down\}$ is the link state function. According to this function we say that at a given time $t \geq 0$, a link $(A, B) \in V^2$ is up (denoted $t :: A \to B$) or down (denoted $t :: A \nrightarrow B$). We use the abbreviations $t :: A \leftrightarrow B =_{def} t :: A \to B \wedge t :: B \to A$ and $t :: A \nleftrightarrow B =_{def} t :: A \nrightarrow B \wedge t :: B \nrightarrow A$. We extend the "$t :: A \to B$" notation from single time points to sets as follows: $T :: A \to B =_{def} \forall t \in T,\ t :: A \to B$. We assume the convention $\mathbb{R}_{\geq 0} :: A \nrightarrow A$.

We denote the set of all settings by $\Sigma$.

2.3 Traces 

We use the notion of trace to model an execution of the system. A trace is composed of events. We model events related to the wireless communication and the detection of a neighbor. The former, denoted as Bcast, Dcast and Receive, models broadcast (or omnidirectional) transmission, directional transmission, and reception, respectively. The latter, denoted as Neighbor, means that a node accepts another node as a neighbor. Each event is primarily associated with (essentially, takes place at) a node we denote as the active node. For some events, a secondary association with another node can exist. In particular:

¹ All the results of this paper can be immediately transcribed to $\mathbb{R}^3$. The $\mathbb{R}^2$ space is used only for presentation simplicity.

Figure 1: Range of the Dcast primitive. $inrange(A, \alpha, \beta, B)$ is true iff B is located in the gray region.

Definition 2. An event is one of the following terms:

• $\mathrm{Bcast}(A; t; m)$

• $\mathrm{Dcast}(A; t; \alpha, \beta, m)$

• $\mathrm{Receive}(A; t; B, m)$

• $\mathrm{Neighbor}(A; t; C, t')$

where: $A \in \mathbb{V}$ is the active node, $t \in \mathbb{R}_{\geq 0}$ is the start time, $m \in M$ is a message, $\alpha \in [0, 2\pi)$ is the sending direction, $\beta \in (0, 2\pi]$ is the sending angle, $B \in \mathbb{V}$ is the sender node, $C \in \mathbb{V}$ is a declared neighbor, $t' \in \mathbb{R}_{\geq 0}$ is the time at which C is a neighbor according to A's declaration.

For an event $e$, we write $start(e)$ for its start time and $end(e)$ for its end time. For events including a message $m$, $end(e) = start(e) + |m|$, while for the Neighbor event $end(e) = start(e)$.

Dcast, representing a message sent with a directional antenna at direction $\alpha$ over an angle $\beta$, is illustrated in Figure 1. Receive represents message reception caused (triggered) by any incoming message, and thus a previous Bcast and Dcast event (self-triggered). Neighbor can be thought of as an internal outcome of a neighbor discovery protocol (to be defined later). Then, traces comprising the above events are defined.

Definition 3. A trace $\theta$ is a set of events that satisfies what we will call the finite cut condition: for any finite $t \geq 0$, the subset $\{e \in \theta \mid start(e) < t\}$ is finite.

We denote the set of all traces by $\Theta$.

The finite cut condition ensures that during any finite interval of time only a finite number of events occurs; as settings comprise a finite number of nodes, this is natural to demand.

2.4 Setting-Feasible Traces 

Feasibility with respect to a setting S is a set of conditions 
ensuring a proper causal and time relation between send and 
receive events. 



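Definition 4. A trace $\theta \in \Theta$ is feasible with respect to a setting $\mathcal{S} = (V, loc, type, link)$, if the following conditions are satisfied:

1. $\forall \mathrm{Receive}(A; t; B, m) \in \theta$, $(A, B \in V) \wedge ([t, t + |m|] :: B \to A) \wedge \big(\mathrm{Bcast}(B; t - t_{AB}; m) \in \theta \ \veebar\ (inrange(B, \alpha, \beta, A) \wedge \mathrm{Dcast}(B; t - t_{AB}; \alpha, \beta, m) \in \theta)\big)$

2. $\forall \mathrm{Bcast}(A; t; m) \in \theta$, $(A \in V) \wedge \big(\forall B \in V,\ [t + t_{AB}, t + t_{AB} + |m|] :: A \to B \Rightarrow \mathrm{Receive}(B; t + t_{AB}; A, m) \in \theta\big)$

3. $\forall \mathrm{Dcast}(A; t; \alpha, \beta, m) \in \theta$, $(A \in V_{adv}) \wedge \big(\forall B \in V,\ (inrange(A, \alpha, \beta, B) \wedge [t + t_{AB}, t + t_{AB} + |m|] :: A \to B) \Rightarrow \mathrm{Receive}(B; t + t_{AB}; A, m) \in \theta\big)$

Where $\veebar$ denotes logical exclusive or, $t_{AB} = \frac{dist(A,B)}{v}$ is the time of flight, and $inrange(A, \alpha, \beta, B)$ is defined in Figure 1.

We denote the set of all traces feasible with respect to a setting $\mathcal{S}$ by $\Theta_{\mathcal{S}}$.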

Condition 1 of Definition 4 ensures that every message that is received was previously sent. Condition 2 ensures that a broadcasted message is received by all nodes enabled to do so by the link relation². Condition 3 ensures that a Dcast-ed message is received only by the nodes in the area as per the Dcast transmission (see Figure 1) and only if the link is up. In other words, communication is causal (a receive is always preceded by a send), and reliable as long as the link is up. Unreliability, expected and common in wireless communications, is modeled by the state of the link being down. Furthermore, the three conditions in Definition 4 introduce a strict time relation between events, reflecting line-of-sight signal propagation across the channel with a constant speed $v$.

2.5 Protocol-Feasible Traces 

A trace is essentially a global view of the system execution. 
To describe what a node observes during a system execution, 
we use the notion of local view, primarily comprising a local 
trace composed of local events. We define these next. 

Definition 5. A local event is one of the terms: $\mathrm{Bcast}(t; m)$, $\mathrm{Receive}(t; m)$, $\mathrm{Neighbor}(t; B, t')$, where $B \in \mathbb{V}$, $m \in M$, $t, t' \in \mathbb{R}_{\geq 0}$. For a local event $e$, $start(e)$, $end(e)$ are defined as in Definition 2.

Definition 6. A local trace is a set of local events that satisfies the finite cut condition. Given a node identifier $A \in \mathbb{V}$, time $t > 0$ and trace $\theta \in \Theta$, we calculate the local trace of node A at time $t$ in trace $\theta$, denoted $\theta|_{A,t}$, as follows:

$$\theta|_{A,t} = \{\mathrm{Bcast}(t_1; m) \mid t_1 < t \wedge \mathrm{Bcast}(A; t_1; m) \in \theta\} \ \cup \tag{1}$$
$$\{\mathrm{Receive}(t_1; m) \mid t_1 + |m| < t \wedge \exists B \in \mathbb{V},\ \mathrm{Receive}(A; t_1; B, m) \in \theta\} \ \cup \tag{2}$$
$$\{\mathrm{Neighbor}(t_1; B, t') \mid t_1 < t \wedge \mathrm{Neighbor}(A; t_1; B, t') \in \theta\} \tag{3}$$

² Note that time is "measured" at the receiver, not the sender.

We call $\theta|_{A,\infty}$ a complete local trace of A in $\theta$ and denote it shortly $\theta|_A$.

Note that the Receive local event, contrary to its global counterpart, does not include the information about the sender of the message. This is of central importance, capturing the earlier mentioned fundamental challenge in securing ND in wireless networks: the receiver of a message cannot reliably identify who the sender is. This is because identifiers included in a message can be forged, and even cryptography can at most identify the creator of a message, not the sender.

We identify two variants of the local view notion: a T-local view, as the basis for defining the class of time-based protocols, and a TL-local view, used to define the class of time- and location-based protocols.

Definition 7. Given a trace $\theta$, a T-local view of node A at time $t$ in $\theta$ is a tuple $\langle A, t, \theta|_{A,t} \rangle$; we denote it $\theta\|_{A,t}$.

Definition 8. Given a trace $\theta$ and a setting $\mathcal{S}$, a TL-local view of node A at time $t$ in trace $\theta$ is a tuple $\langle A, t, loc(A), \theta|_{A,t} \rangle$; we denote it $\theta\|_{\mathcal{S},A,t}$, or $\theta\|_{A,t}$ if setting $\mathcal{S}$ is clear from the context.

Note that $\mathcal{S}$ is part of Definition 8 as the location of node A is defined only within a specific setting. With the notion of local view(s) in hand, we can proceed with the definition of a protocol model. This definition captures the property of protocols essential to our investigation: the fact that protocol behavior depends exclusively on the local view of the node executing the protocol.

Definition 9. A T(TL)-protocol model $\mathcal{P}$ is a function which, given a T(TL)-local view $\theta\|_{A,t}$, determines a finite, non-empty set of actions; an action is one of the terms: $\epsilon$, $\mathrm{Bcast}(m)$ or $\mathrm{Neighbor}(A, t)$, where $m \in M$, $A \in \mathbb{V}$, $t \in \mathbb{R}_{\geq 0}$.

The interpretation of Bcast and Neighbor actions is natural. The $\epsilon$ action means that the node does not execute an event, with the exception of possible Receive event(s). Note that modeling the protocol output (i.e., the protocol model codomain) as a family of sets of actions allows for non-deterministic protocols.

Definition 10. A trace $\theta \in \Theta_{\mathcal{S}}$ is feasible with respect to a T- or TL-protocol model $\mathcal{P}$, if the following conditions are satisfied:

1. $\forall A \in V_{cor}$, $\forall \mathrm{Bcast}(A; t; m) \in \theta$, $\mathrm{Bcast}(m) \in \mathcal{P}(\theta\|_{A,t})$

2. $\forall A \in V_{cor}$, $\forall \mathrm{Neighbor}(A; t; B, t') \in \theta$, $\mathrm{Neighbor}(B, t') \in \mathcal{P}(\theta\|_{A,t})$

3. $\forall A \in V_{cor}$, $\forall t \in X_A$, $\epsilon \in \mathcal{P}(\theta\|_{A,t})$, where
$X_A = \mathbb{R}_{\geq 0} \setminus start(\theta|_A \cap E)$,
$E = \{\mathrm{Bcast}(t; m) \mid m \in M, t \in \mathbb{R}_{\geq 0}\} \cup \{\mathrm{Neighbor}(t; B, t') \mid B \in \mathbb{V},\ t, t' \in \mathbb{R}_{\geq 0}\}$

We denote the set of all traces feasible with respect to a setting $\mathcal{S}$ and T(TL)-protocol model $\mathcal{P}$ by $\Theta_{\mathcal{S},\mathcal{P}}$.

Conditions 1 and 2 of Definition 10 ensure that Bcast or Neighbor actions taken by a node are allowed by the protocol. Condition 3, with $X_A$ the set of all points in time at which no event other than Receive happens at node A, ensures that the protocol allows for a node to not perform an action.



2.6 Adversary-Feasible Traces 

For the purpose of the impossibility result, we consider first a relatively limited adversary, that is only capable of relaying messages. We denote this model as $\mathcal{A}_{\Delta_{relay}}$, with the parameter $\Delta_{relay} > 0$ the minimum relaying delay introduced by an adversarial node; this delay is due to processing exclusively, it does not include any propagation time.

Definition 11. A trace $\theta \in \Theta_{\mathcal{S},\mathcal{P}}$ is feasible with respect to an adversary model $\mathcal{A}_{\Delta_{relay}}$ if:

1. $\forall \mathrm{Bcast}(A; t; m) \in \theta$, $A \notin V_{adv}$

2. $\forall \mathrm{Dcast}(A; t; \alpha, \beta, m) \in \theta$, $\exists B \in V_{adv}$, $\exists \delta \geq \Delta_{relay} + \frac{dist(B,A)}{v_{adv}}$, $\exists C \in V$, $\mathrm{Receive}(B; t - \delta; C, m) \in \theta$

We denote the set of all traces feasible with respect to a setting $\mathcal{S}$, T-protocol model $\mathcal{P}$, and adversary model $\mathcal{A}_{\Delta_{relay}}$ by $\Theta_{\mathcal{S},\mathcal{P},\mathcal{A}_{\Delta_{relay}}}$.

Condition 1 of Definition 11 is only to facilitate the presentation of proofs in subsequent sections, stating that adversarial nodes do not use the Bcast primitive. Condition 2 states that every message sent by an adversarial node is necessarily a replay of a message $m$ that either this or another adversarial node received. In addition, the delay between receiving $m$ and re-sending it, or more precisely the difference between the start times of the corresponding events, needs to be at least $\Delta_{relay}$, plus the propagation delay across the adversary channel in case another adversarial node received the relayed message.

From AA rolay , we derive two weaker adversary models, 
•^A relay an d ^A rclay i defined next. Model -4 Arolay restricts 
adversarial nodes to broadcasts, while *4A rolay precludes ad- 
versarial nodes from utilizing an adversary channel. As it 
will become clear in Section [3] all these adversary models 
are valuable for the impossibility result, and their weakness 
strengthens the impossibility result. 

Definition 12. A trace 9 £ &s,v is feasible with respect 
to an adversary model A'& ittl if: 

1. $\forall \mathrm{Dcast}(A; t; \alpha, \beta, m) \in \theta$, $A \notin V_{adv}$

2. VBcast(A; t; m) £ 9 £ 9, 3B £ V adv , 
36 > A relay + 3C £ V, 

Receive(B; t - 5;C,m) £ 9 

Definition 13. A trace 9 £ Qs,v is feasible with respect 
to an adversary model -4A rclay if 

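1. $\forall \mathrm{Bcast}(A; t; m) \in \theta$, $A \notin V_{adv}$

2. $\forall \mathrm{Dcast}(A; t; \alpha, \beta, m) \in \theta$, $\exists \delta \geq \Delta_{relay}$, $\exists C \in V$, $\mathrm{Receive}(A; t - \delta; C, m) \in \theta$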

2.7 Neighbor Discovery Specification 

The ability to communicate directly, without the intervention or 'assistance' of relays, is expressed in our model by a link being up, thus the following definition:

Definition 14. Node A is a neighbor of node B in setting $\mathcal{S}$ at time $t$, if $t :: A \to B$. If $t :: A \leftrightarrow B$ we will say that nodes A and B are neighbors at time $t$.



For simplicity of presentation, we use the "$t :: A \to B$" notation to denote the neighbor relation, as well as the link relation. Having defined the neighbor relation, we are ready to present the formal specification of secure neighbor discovery. This definition uses a parameter: $R \in \mathbb{R}_{>0}$, the neighbor discovery (ND) range. Typically, $R$ is equal to the nominal communication range for a given wireless medium, however, we use $R$ more freely as the communication range for which ND inferences are drawn.

Definition 15. A protocol model $\mathcal{P}$ satisfies (solves) two-party neighbor discovery for an adversary model $\mathcal{A}$, if the following properties are both satisfied:

ND1 $\forall \mathcal{S} \in \Sigma$, $\forall \theta \in \Theta_{\mathcal{S},\mathcal{P},\mathcal{A}}$, $\forall A, B \in V_{cor}$, $\mathrm{Neighbor}(A; t; B, t') \in \theta \Rightarrow t' :: B \to A$

ND2 $\forall d \in (0, R]$, $\forall A, B \in \mathbb{V}$, $A \neq B$, $\exists \mathcal{S} \in \Sigma$, $V = V_{cor} = \{A, B\} \wedge dist(A, B) = d \wedge \mathbb{R}_{\geq 0} :: A \leftrightarrow B \wedge \exists \theta \in \Theta_{\mathcal{S},\mathcal{P},\mathcal{A}}$, $\mathrm{Neighbor}(A; t; B, t') \in \theta$

Intuitively, property ND1 requires that if a node accepts some other correct node B as a neighbor at time $t'$, then B is actually a neighbor at that time. Property ND2 complements ND1, assuring that the protocol offers minimal availability: it requires that for every distance $d$ in the desired ND range $R$, there should be at least some setting, in which the protocol is able to conclude that a node is a neighbor (in some, not all executions); this setting should contain exactly two nodes at distance $d$, being neighbors, and both correct. The "two-nodes setting" requirement clarifies why we call this two-party ND. The ND2 property is the least that can be required from a usable two-party ND protocol: indeed, a protocol not satisfying this property would be unable to conclude, for some distance(s) in the ND range, that nodes are neighbors. This makes the impossibility result in Section 3 more meaningful: impossibility with respect to a weak property implies impossibility for any stronger property.

3. IMPOSSIBILITY FOR T-PROTOCOLS 

We show in this section that no time-based protocol can solve the two-party neighbor discovery problem as specified by Definition 15. We base the proof on the fact, captured in Lemma 1, that it is impossible for a correct node to distinguish between different settings based on a T-local view. The impossibility result in Theorem 1 stems from showing two settings which are indistinguishable by a correct node, one in which two nodes are neighbors and one where they are not. We elaborate on the assumptions and implications of this result in Section 6.

We emphasize that the non-restricted form of the message space $M$ encompasses all possible messages including, for example, time-stamps and any type of cryptography, thus contributing to the generality of the impossibility result.

Lemma 1. Let $\mathcal{P}$ be a T-protocol model, $\mathcal{S}$ and $\mathcal{S}'$ be settings such that $V_{cor} = V'_{cor}$, and $\theta \in \Theta_{\mathcal{S},\mathcal{P}}$ and $\theta' \in \Theta_{\mathcal{S}'}$ be traces such that local traces $\theta|_A = \theta'|_A$ for all $A \in V_{cor}$. Then $\theta'$ is feasible with respect to T-protocol model $\mathcal{P}$.

The proof of Lemma 1 can be found in [22].

Theorem 1. There exists no T-protocol model that sat- 
isfies two-party neighbor discovery for the adversary model 
^A„ lay */A rolay < f. 
Figure 2: Settings used in the impossibility result proof. Settings $\mathcal{S}_a = (\{A, B\}, loc_a, type_a, link_a)$, $\mathcal{S}_b = (\{A, B, C\}, loc_b, type_b, link_b)$ and $\mathcal{S}_c = (\{A, B, C, D\}, loc_c, type_c, link_c)$. In all settings, nodes A and B are correct, nodes C and D are adversarial. The location functions are such that $dist_b(A, C) + dist_b(B, C) + v\Delta_{relay} < dist_a(A, B) < R$ and $dist_c(A, C) + dist_c(D, B) + \frac{v}{v_{adv}} dist_c(C, D) + v\Delta_{relay} < dist_a(A, B)$. The state of links does not change over time and is shown in the figure. The dashed arrow in figure (c) denotes the adversarial channel.



Proof. To prove that under the assumptions of the theorem no T-protocol model can satisfy both ND1 and ND2, we show that any T-protocol model that satisfies ND2 cannot satisfy ND1.

Take any T-protocol model V satisfying ND2. Pick some 
distance ^ vA rc i ay in the ND range. Property ND2 guar- 
antees the existence of a setting such as the one shown in 
Figure [21 a) (we denote it S a ) and the existance of a trace 
9 G Os*tAa such that NeighborM; t: B, t') e 6. As 9 

' ' relay 

is feasible with respect to setting S a , this trace has to be of 
the form: 



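$$\theta = \{\mathrm{Bcast}(A; t_i; m_i) \mid i \in I_A\} \ \cup$$
$$\{\mathrm{Receive}(B; t_i + \Delta; A, m_i) \mid i \in I_A\} \ \cup$$
$$\{\mathrm{Bcast}(B; t_i; m_i) \mid i \in I_B\} \ \cup$$
$$\{\mathrm{Receive}(A; t_i + \Delta; B, m_i) \mid i \in I_B\} \ \cup$$
$$\{\mathrm{Neighbor}(A; t_i; B, t'_i) \mid i \in J_A\} \ \cup$$
$$\{\mathrm{Neighbor}(B; t_i; A, t'_i) \mid i \in J_B\}$$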



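$$\theta' = \{\mathrm{Bcast}(A; t_i; m_i) \mid i \in I_A\} \ \cup$$
$$\{\mathrm{Receive}(C; t_i + \delta_1; A, m_i) \mid i \in I_A\} \ \cup$$
$$\{\mathrm{Dcast}(C; t_i + \delta_2; 0, \pi, m_i) \mid i \in I_A\} \ \cup$$
$$\{\mathrm{Receive}(B; t_i + \Delta; C, m_i) \mid i \in I_A\} \ \cup$$
$$\{\mathrm{Bcast}(B; t_i; m_i) \mid i \in I_B\} \ \cup$$
$$\{\mathrm{Receive}(C; t_i + \delta_3; B, m_i) \mid i \in I_B\} \ \cup$$
$$\{\mathrm{Dcast}(C; t_i + \delta_4; -\pi, \pi, m_i) \mid i \in I_B\} \ \cup$$
$$\{\mathrm{Receive}(A; t_i + \Delta; C, m_i) \mid i \in I_B\} \ \cup$$
$$\{\mathrm{Neighbor}(A; t_i; B, t'_i) \mid i \in J_A\} \ \cup$$
$$\{\mathrm{Neighbor}(B; t_i; A, t'_i) \mid i \in J_B\}$$

where $\delta_1 = \frac{dist_b(A,C)}{v}$, $\delta_2 = \Delta - \frac{dist_b(C,B)}{v}$, $\delta_3 = \frac{dist_b(B,C)}{v}$ and $\delta_4 = \Delta - \frac{dist_b(C,A)}{v}$.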

It is simple to check that this trace is feasible with respect 
to setting S b . It is also feasible with respect to T-protocol 
model V: as 9\a,± = &'\ A ,t and = #'|s,t, this follows 

from Lemma [T] Finally, is feasible with respect to the 
adversary model -4A rola , because S2 — Si — S4 — £3 ^ A ro i ay . 
Therefore 9' belongs to 9 S i p A and together with S b 

' ' A rclay 

forms the counterexample that we were looking for: A con- 
cludes B is a neighbor whereas it is not. Thus, T-protocol 
model V does not satisfy NDl. As V was chosen arbitrarily, 
this concludes the proof. □ 

We can use the same technique (using settings S a and S c , 
illustrated in Figure [5| to prove a corresponding theorem for 
the adversary model »4A rolay : 

Theorem 2. There exists no T-protocol model that sat- 
isfies two-party neighbor discovery for the adversary model 



if ^ relay ^ 



4. T-PROTOCOL SOLVING ND 

Theorem 1 considers adversarial nodes that relay messages with a delay smaller than $\frac{R}{v}$. In this section we demonstrate a specific T-protocol (we denote it as $\mathcal{P}^T$), which satisfies ND (Definition 15) if the minimum relaying delay incurred by adversarial nodes is greater than $\frac{R}{v}$ (Theorem 3; the proof can be found in [22]).

Protocol. 

Informally, the $\mathcal{P}^T$ protocol requires nodes to transmit authenticated messages containing a time-stamp set at the time of sending. Upon receipt of such a message, a receiver checks its "freshness" by verifying that the message time-stamp is within a threshold of the receiver's current time. If so, it accepts the message creator as a neighbor. Note that this protocol is essentially the temporal packet leash proposed by Hu, Perrig and Johnson in [13].



where $\Delta = \frac{dist_a(A,B)}{v}$, $t_i, t'_i \in \mathbb{R}_{\geq 0}$ and $I_A, I_B, J_A, J_B$ are pairwise disjoint index sets with $J_A \neq \emptyset$ (all the other index sets can be empty).

In setting $\mathcal{S}_b$, shown in Figure 2(b), we have $\mathbb{R}_{\geq 0} :: B \nleftrightarrow A$. Consider the following trace $\theta'$, which is essentially the same as $\theta$, but for node C relaying all the communication between nodes A and B:


Message Space. 

We specify the message space relevant to this particular T-protocol to be:

$$\{auth_A(t)\}_{A \in \mathbb{V},\, t \in \mathbb{R}_{\geq 0}} \subseteq M$$

with $auth_A(x)$ denoting that the content of message $x$ is authenticated by node A. We do not dwell on which cryptographic primitive (e.g., digital signature or message authentication code) is used to this end. We call the message $auth_A(t)$ a beacon message, and $t$ the beacon-time.

Feasibility. 

Below we define feasibility with respect to protocol $\mathcal{P}^{T}$
described informally above.³

Definition 16. A trace $\theta \in \Theta_S$ is feasible with respect
to $\mathcal{P}^{T}$, if the following conditions are satisfied:

1. $\forall A \in V_{cor},\ \forall\, Bcast(A; t_1; auth_B(t)) \in \theta$,

$(B = A) \wedge (t = t_1)$

2. VA G Kor, VNeighbor( J 4; t ;B,ti)<E 9, 3C G V, 

(Receive( J 4;fi; C, auths(t)) G #) A (ti - t «S S) A 
(t a > end(Rece\ve(A;t 1 ;C,auth B (t)))) 

Condition 1 ensures that a correct node only broadcasts 
beacon messages that are authenticated by itself and that 
have the beacon-time set to the start of the beacon sending 
time. Recall that correct nodes have synchronized clocks, 
otherwise they cannot be considered correct. Condition 2 
ensures that a correct A accepts B as a neighbor only after 
it receives and deems fresh a beacon generated by B. 

Adversary Model. 

Towards proving that $\mathcal{P}^{T}$ solves the ND problem, we need
to develop an adversary model stronger than $\mathcal{A}_{\Delta_{relay}}$. This
is necessary, as proving that a protocol is secure against a
weak adversary would be of little value. The new adversary
model, , allows for not only message relay but also
for generation and transmission of any message, as long as
the employed cryptosystem is not broken (this approach is
compliant with the classical Dolev-Yao model [6]).

Definition 17. A trace 9 G Os,v T is feasible with respect 
to an adversary model »4A rclay */• 

1. VBcast(A;t;m) G 6, A <£ Kdv 

2. VAeKdv, VDcast(A; ti; a, j3, auths(t)) G 9, 

(B g Vkdv) V (3C G Kdv, 35 > A rolay + fe ^; A) , 
3D G V, Receive(C; ii - 8; D, auths(i)) G 9) " 

Condition 1 simplifies the presentation, mandating that
adversarial nodes do not use the Bcast primitive. Nonetheless,
this is not a limitation because $Bcast(m)$ is equivalent
to $Dcast(0, 2\pi, m)$, by which we mean that it triggers
exactly the same $Receive(m)$ events. Condition 2 ensures that
an adversarial node is allowed to send any message as long
as it is authenticated by an adversarial node (itself or other).
This implies that adversarial nodes can share cryptographic
keys or any material used for authentication. Furthermore,
Condition 2 reflects that the adversary cannot forge
authenticated messages: it ensures that a message sent by an
adversarial node, and authenticated by a correct node must
be a relayed one. In other words, some (possibly the same)
adversarial node must have received this message earlier, at
least $\Delta_{relay}$ plus the propagation time between the two nodes
(over the adversarial channel).

Theorem 3. // A ro i ay ^ ^ then V T satisfies neighbor 
discovery for the adversary model ^A relay • 

3 For clarity and brevity, we define this "from scratch," rather
than specifying a T-protocol model according to Definition 9
and relying on Definition 10 for feasibility.



5. TL-PROTOCOL SOLVING ND 

Time- and location-based protocols, compared to the
T-protocol class, augment nodes with location awareness.
Because nodes are more powerful, we can show that if $v = v_{adv}$,
a TL-protocol we denote as $\mathcal{P}^{GT}$ solves ND regardless of
how small $\Delta_{relay}$ is. The reason the impossibility theorem
does not apply can be traced back to Lemma 1: even given
identical local traces, correct nodes can resort to location
information to distinguish setting $S^a$ from $S^b$. The proof is
similar to that of the T-protocol case, found in [22].

Protocol. 

Informally, the $\mathcal{P}^{GT}$ protocol requires that nodes send
authenticated messages containing a time-stamp set at the
time of sending and their own location. Upon receipt of
such a message $m$ sent from a node $B$, the receiver $A$
calculates two estimates of the $A$, $B$ distance. The first estimate
is based on the difference of its own clock at reception time
(the start of reception) and $m$'s time-stamp. The second
one is calculated with the help of the location in $m$ and
$A$'s location. If the two distance estimates are equal, and
$m$ is authenticated, $A$ accepts $B$ as a neighbor. Note that
this protocol is a combination between the temporal and the
geographical packet leash [13].

Message Space. 

We specify the message space as follows:

$$\{auth_A(t,l)\}_{A \in V,\ t \in \mathbb{R}_{\ge 0},\ l \in \mathbb{R}^2} \subseteq M$$

We call the message $auth_A(t,l)$ a beacon message, $t$ the
beacon-time of the message, and $l$ the beacon-location of the
message.

Feasibility. 

The following defines feasibility with respect to $\mathcal{P}^{GT}$.

Definition 18. A trace $\theta \in \Theta_S$ is feasible with respect
to $\mathcal{P}^{GT}$, if the following conditions are satisfied:

1. $\forall A \in V_{cor},\ \forall\, Bcast(A; t_1; auth_B(t, l)) \in \theta$,

$B = A \wedge t = t_1 \wedge l = loc(A)$

2. VA G Kor, VNeighbor(A; t ;B,ti)<E 9, 3C G V, 

Received; ty, C, auth B (t, I)) G 9 A ti-t = d2(ioc v (A) '' ) 
A to > end(Receive(yl; ti; C, auths(t, /))) 

Adversary Model. 

The adversary model, denoted ^A^ ela , is almost identical
to ^A rolay but for the format of beacon messages.

Definition 19. A trace 9 G &s.v GT is feasible with re- 
spect to the adversary model ^A^ olay */•' 

1. VBcast(^l; t; m) £9, A £ Kdv 

2. VA G Kdv, VDcast(A; ti; a, /3, auths(t, I)) G 9, 

(B G Kdv) V (3C G Kdv, 35 ^ A rclay + , 
3D G V, Receive(C; ii - S; D, auth s (t, I)) gV) 

Theorem 4. // v = v adv and A ro i ay > then V GJ satis- 
fies neighbor discovery for the adversary model . 



6. DISCUSSION 
6.1 Implications 

The impossibility result points to a fundamental limitation
in securing communication ND with T-protocols. Any
T-protocol, regardless of the node clock accuracy or
processing power, can be attacked by an adversary capable of
relaying messages with a small enough delay. As we discuss
in the next paragraph, the space for attacks can seem
relatively small if $v = v_{adv}$. Nevertheless, it can be large
enough to constitute a realistic threat, depending essentially
on three factors. One of these is very specific to the
operational environment, and deals with the following question:
How probable is it to have no link between two nodes at
distance $d$? This is because for every non-existing link the
adversary can set up a short-range relay attack.

For the two other factors, we turn to Theorems 1 and 3.
These show that for an attack to be successful, the relaying
delay of the adversary has to be below the threshold
^. This implies the second factor - the expected threat
level. If the system designer aims at protecting the network
only against relatively limited, slow-relaying adversaries,
T-protocols can provide sufficient security (details in Section
6.3). The third factor is the ND range $R$. In some cases, the
system designer might be able to select a low $R$: this forces
the adversary to relay messages faster, but it also precludes
the discovery of nodes that are directly reachable but farther
than $R$. Nonetheless, $R$ needs to be typically equal to the
communication range. Thus, for some wireless technologies,
ND using T-protocols will be more vulnerable than for others.
For example, if we can consider relatively short-range
802.11 radios, communicating typically at 100 to 150 m, the
threshold is $\frac{100\,\mathrm{m}}{c} \approx 333$ ns, still significantly above the
feasible 40 ns relaying delay reported by [24]. For WiMAX,
with a range up to 50 km, the threshold is around 166 µs,
leaving much more space for attacks. In fact, as $R \to \infty$,
T-protocols become useless for securing ND, if obstacles can
be present in the environment.

In short, T-protocols need to be used with a lot of caution
to secure ND. Unless there are no obstacles in the environment,
the ND range is low, or only slow-relaying adversaries
are of concern, T-protocols cannot provide reliable security,
as they are able to prevent only wormholes ranging beyond
$R$. For generally applicable secure ND it is necessary to go
beyond the T-protocol class. As Theorem 4 shows, one possibility
is the TL-class with protocols such as $\mathcal{P}^{GT}$ which can
secure ND regardless of $\Delta_{relay}$ or $R$. Unfortunately, $\mathcal{P}^{GT}$ is
more demanding on the nodes (location awareness), and it
requires line-of-sight communication (Section 6.3).

Simple Quantitative Results. 

Theorem 1 and Theorem 2 show that it is impossible to
secure ND even if the adversary cannot utilize an adversarial
channel for the communication of the nodes it controls (but
in that case it uses directional antennas). However,
quantitatively, the relative magnitude of $v$ and $v_{adv}$, the signal
propagation velocity across the system wireless channel and
the adversary channel, respectively, determine the impact of
the adversary.

To illustrate this, we consider first the A'i , adver- 

7 ^relay 

sary and the S b setting in Figure [2] with A,B correct and 
$C$ adversarial nodes, for which
$dist_b(A,C) + dist_b(B,C) + v\Delta_{relay} \le R$.
These conditions are necessary for the attack
to be possible. The last inequality yields, when combined
with the triangle inequality $dist_b(A,B) \le dist_b(A,C) + dist_b(B,C)$,
that $dist_b(A,B) \le R - v\Delta_{relay}$. Note that the
relative locations and thus the distance of $A$ and $B$ are not
controlled by the adversary. This implies that the adversary
can violate ND1, only if the distance between $A$ and $B$ is
smaller than $R - v\Delta_{relay}$ and $C$ is conveniently located.

On the other hand, for A'& T t and setting <S C in Figure(2] 
$dist_c(A,C) + dist_c(D,B) + \frac{v}{v_{adv}} dist_c(C,D) + v\Delta_{relay} \le R$.
Utilizing this and the triangular inequality twice, that is,
$dist_c(A,B) \le dist_c(A,C) + dist_c(C,D) + dist_c(D,B)$, we
get $dist_c(A,B) \le \frac{v_{adv}}{v}(R - v\Delta_{relay})$. If the last inequality
holds, the adversary can succeed with the use of an adversarial
channel and two nodes $C$, $D$. It is interesting that the
bound on dist c (A, B) is multiplied by a factor of . In 
other words, if $v \ll v_{adv}$, as it holds, for example, for
ultrasound and radio frequency velocities [25], the use of the
adversarial channel magnifies the impact on ND: the
adversary can mislead nodes at remote locations (thus unable
to communicate directly) that they are neighbors. Thus,
whenever possible, the system designer should aim at having
$v = c$, which she can expect to be the choice of the
adversary. This is further strengthened by the fact that
$\mathcal{P}^{GT}$ can be proven correct only if $v = v_{adv}$.
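The bounds of this subsection can be applied to a deployment to list the non-neighbor pairs that a relay could present as neighbors. This is an added example, not code from the paper; the threshold R/v (consistent with the 100 m, 333 ns figure above), the factor v_adv/v for the two-relay case (which assumes v ≤ v_adv), the function names and the node layout are assumptions or constructed for illustration.

```python
import math
from itertools import combinations

C = 299_792_458.0  # speed of light in m/s


def relay_threshold(R, v=C):
    """Relaying-delay threshold for ND range R (assumed here to be R / v)."""
    return R / v


def single_relay_ok(a, b, c, R, v, relay_delay):
    """One relay at c: dist(A,C) + dist(B,C) + v * relay_delay <= R."""
    return math.dist(a, c) + math.dist(b, c) + v * relay_delay <= R


def two_relay_ok(a, b, c, d, R, v, v_adv, relay_delay):
    """Relays c (near A) and d (near B) joined by an adversarial channel
    with propagation speed v_adv (assumed v <= v_adv)."""
    path = math.dist(a, c) + math.dist(d, b) + (v / v_adv) * math.dist(c, d)
    return path + v * relay_delay <= R


def exposure_radius(R, v, relay_delay, v_adv=None):
    """Upper bound on dist(A,B) for which some relay placement can succeed.
    Without an adversarial channel: R - v*relay_delay; with one, scaled by
    v_adv / v. Returns 0.0 when the relay is too slow for any placement."""
    base = max(0.0, R - v * relay_delay)
    return base if v_adv is None else (v_adv / v) * base


def exposed_pairs(nodes, links, R, v, relay_delay, v_adv=None):
    """Pairs with no direct link that lie within the exposure radius."""
    radius = exposure_radius(R, v, relay_delay, v_adv)
    out = []
    for (n1, p1), (n2, p2) in combinations(sorted(nodes.items()), 2):
        if frozenset((n1, n2)) not in links and math.dist(p1, p2) <= radius:
            out.append((n1, n2))
    return out


# Constructed deployment: an obstacle blocks A-B; B-D is simply out of range.
NODES = {"A": (0.0, 0.0), "B": (60.0, 0.0), "D": (0.0, 95.0)}
LINKS = {frozenset(("A", "D"))}

if __name__ == "__main__":
    for name, R in (("802.11, R = 100 m", 100.0), ("WiMAX, R = 50 km", 50_000.0)):
        print(f"{name}: threshold {relay_threshold(R) * 1e9:.0f} ns")
    print("exposed at 40 ns relay delay:",
          exposed_pairs(NODES, LINKS, 100.0, C, 40e-9))
    print("exposed at 400 ns relay delay:",
          exposed_pairs(NODES, LINKS, 100.0, C, 400e-9))
```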

Relation among Adversary Models. 

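Intuitively, adversary $\mathcal{A}_2$ is stronger than adversary $\mathcal{A}_1$,
if $\mathcal{A}_2$ can do everything that $\mathcal{A}_1$ can. Formally, this is
expressed as follows:

Definition 20. Adversary model $\mathcal{A}_1$ is weaker⁴ than
adversary model $\mathcal{A}_2$ ($\mathcal{A}_1 \le \mathcal{A}_2$), if
$\Theta_{S,\mathcal{P},\mathcal{A}_1} \subseteq \Theta_{S,\mathcal{P},\mathcal{A}_2}$ for
every setting $S$ and every protocol model $\mathcal{P}$.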

Given this definition, we can order the considered adver- 
sary models: 

&' -> 5 

A" < ^A relay A-\ rolay 

^relay 

The relation among adversary models is interesting because
one can intuitively expect that if a protocol $\mathcal{P}$ can
solve ND for $\mathcal{A}_2$, it can also solve ND for a weaker
adversary model $\mathcal{A}_1$.⁶ Thus, our impossibility result, proven for
the minimal elements, and the proof of correctness of
protocol $\mathcal{P}^{T}$ for the maximal element, hold for all adversary
models considered in this paper. This clarifies that $\Delta_{relay}$
is the most significant factor affecting the security of ND,
as opposed to the ability to use directional antennas, the
adversary channel, or to generate arbitrary messages (in a
Dolev-Yao fashion).

4 non-strictly 

5 We use a different notation, ^A rolay ^ AA Ii!lay , as the 
relation does not hold: in one case the adversarial nodes 
can only use Beast and in the other only Dcast. However, 
Bcast(m) is equivalent to a Dcast(0, 2n, m). Accordingly, we 
can define a renaming function p, and show that the ^ rela- 
tion holds up to renaming: p(G$ v A' ) Q G>s.v,A A 

' ' A rclay ' relay 

6 This can be proven under the assumption that the adver- 
sary model allows the adversarial nodes to remain silent, 
which is the case for all the adversary models that we con- 
sider. There exist adversarial models for which this does not 
hold, but they are of no practical importance. 



6.2 Modeling assumptions 

Our ND specification and assumptions about wireless com- 
munication, protocols, and adversarial behavior all aim at 
a simple model. Nonetheless, these assumptions do not im- 
pair the generality and meaningfulness of our results. The 
discussion below establishes this mostly with respect to the 
impossibility result, as it is easy to see that most of these 
simplifying assumptions do not affect the ND protocols we 
model and prove correct. 

Protocol Model. 

Recall that our definition of a protocol model only requires 
that the behavior of the protocol is determined by the local 
view. This is much broader than the typical approach, in 
which a protocol is modeled by a Turing machine. But as our 
definition is an over-approximation, our impossibility result 
remains valid for more realistic protocol models. 

Settings and Traces. 

We emphasize that the general forms of settings (correct
nodes being able to communicate at arbitrary distances),
and Medium Access Control modeling (Definition 2 not
prohibiting a correct node from sending and receiving an
arbitrary number of messages at the same time) are not essential
to the impossibility result. It is possible to add additional
constraints to make the model more realistic, but this would
impair generality and clarity.

Events. 

We model correct nodes equipped with omnidirectional 
antennas. We can extend our model so that correct nodes 
use directional antennas, but from the structure of the im- 
possibility result proof it should be clear that this would not 
lift the impossibility. Mounting a successful relay attack, 
however, would require adversarial node(s) to be located on 
or close to the line connecting A and B. 

We model success and failure (in fact, complete unaware- 
ness of failure) in receiving a message, but not the ability of a 
receiver to detect a transmission (wireless medium activity) 
without successfully decoding the message. An extension 
of our model to include this is straightforward and would 
not affect the impossibility result. Intuitively, if nodes were 
able to solve the ND problem if they cannot decode all the 
messages they receive, then they would also be able to solve 
ND when all messages are received correctly. We emphasize 
that the above argument relies on the assumption that nodes 
cannot control their wireless transmission power. However, 
if nodes had this ability, the notion of neighborhood would 
change, and our model would need to change as well. We 
will investigate this in future work. 

ND Specification. 

In light of the impossibility result, one could consider an 
alternative, less restrictive neighbor discovery specification, 
notably, the already mentioned multi-party ND that requires 
the participation of more than two nodes to securely con- 
clude on a neighbor relation. This is an interesting direction 
resonating with emergent properties of ad-hoc networks [9]. 
Technically, this ND specification would differ in the ND2 
property, where the requirement that the protocol needs to 
work for some two-node setting would be changed to an
arbitrary setting. As discussed in Section 7, there exist
protocols in the literature related to our notion of multi-party
ND, but they are effective under weaker adversary models.
Whether some other T-protocol can solve multi-party ND
in our model is an open question we plan to investigate in
future work.

Line-of-sight Propagation. 

DefinitionUimplies signal propagation over a straight line. 
In reality, this is not always the case: two nodes could
communicate even if there is no line-of-sight between them,
and the signal is, for example, reflected. We could include
this phenomenon in our model, for example, by introducing
an additional link-specific delay to the propagation time.
This would not affect any of our results. However, from a
practical point of view, for such additionally delayed links,
$\mathcal{P}^{T}$ and especially $\mathcal{P}^{GT}$ could reject valid neighbor relations.
This problem relates to the discussion on inaccuracies in
time and location information these protocols need to cope
with in practice, in Section 6.3.

6.3 Protocol Design 

We discuss some of the more important aspects for actual 
deployment of secure neighbor discovery protocols. First, 
we consider one side of ND: A discovers if B is a neighbor. 
However, with asymmetric links, a dual problem exists: A 
discovers if it is a neighbor to B. The protocols we con- 
sider are not designed to solve this problem, but we note 
that challenge-response schemes, such as distance bounding 
protocols [SJ, can. 

Moreover, we consider ND when both nodes running the
ND protocol are correct. Removing this assumption implies
that, for example, the $\mathcal{P}^{T}$ protocol does not satisfy the ND
specification: consider an adversarial node $B$ that generates
a message time-stamped in the future, passes this message
to another adversarial node $C$, which in turn passes it to a
correct node $A$ that falsely accepts (a perhaps very remote)
$B$ as a neighbor. In Section 7, two protocols that solve this
problem under a specific assumption are discussed.

As mobility was not included in our model, the protocols 
we analyze can be considered secure as long as the node 
movement during the protocol execution is negligible. This 
is not a strong requirement, if we compare the typical speed 
at which nodes move (below the speed of sound in almost 
all cases) with the RF propagation speed. However, no- 
tably because some computational operations may be time- 
consuming, we plan to include mobility in our model in the 
future. 

All the adversary models in this paper capture the
technically feasible yet non-trivial ability to send and receive
messages at the same time. For a weaker security result,
one could assume that an adversarial node must receive the
whole message before it can relay it. For such an adversary,
a protocol whose every message's duration is longer than —
would solve ND (by Theorem 3).

Similarly to the vision of the authors of [13], $\mathcal{P}^{T}$ and $\mathcal{P}^{GT}$
functionality could be integrated into every packet as a leash.
Alternatively, ND beacons can be broadcasted periodically,
with the neighbor relation interpolated in between received
beacons. The former solution provides better security at the
expense of transmission overhead, whereas the latter might
offer the adversary a window of opportunity to launch an
attack if and only if the state of neighbor relation changes
between two beacon broadcasts.



Imperfect Clocks and Localization. 

Up to this point, we assumed that correct nodes have accu- 
rate time and location information. However, inaccuracies 
are possible in reality: (i) time inaccuracies due to clock 
drifts, failure to synchronize clocks, coarse-grained clocks, 
as well as the difficulty to calculate message reception time, 
and (ii) location inaccuracies due to unavailability of infras- 
tructure (e.g., Global Positioning System (GPS), or base 
stations) providing location information, malicious disrup- 
tions of infrastructure, and granularity and capabilities of 
self-localization sensors. Non-line-of-sight propagation can 
be perceived as another source of time inaccuracy. As the 
$\mathcal{P}^{T}$ and $\mathcal{P}^{GT}$ protocols rely on distance estimates based on
time and location measurements, their effectiveness can be
affected by inaccuracies.

We model the effect of time inaccuracy by a parameter
$\delta$, such that measured delay = real delay + $d$, with $|d| \le \delta$.
Similarly, for location information, measured distance =
real distance + $sv$, with $|s| \le \tau$. We express the
inaccuracy term $sv$ as a function of delay (time), so that it is
straightforward to consider the cumulative impact for the
$\mathcal{P}^{GT}$ protocol.

First, for $\mathcal{P}^{T}$, two correct neighbors at a distance larger
than $R - v\delta$ may fail to conclude they are neighbors, thus
violating ND2. This can be addressed if $R' = R + v\delta$ is
used in place of the ND range R. But then, if A ro i ay < 
^ + S, or A rc i a y < NDl would be violated, that is, the 
adversary would mount a successful attack. In other words, 
time inaccuracies essentially decrease the ND security. 

To cope with inaccuracies, the $\mathcal{P}^{GT}$ protocol presented in
Section 5 needs to be modified slightly: The check for
equality of the time- and location-based estimates of distance
should be replaced with approximate equality; otherwise ND2
will be violated. More precisely, these two estimates should
be within $\delta + \tau$ of each other. But, again, ensuring
practicality decreases security: if $\Delta_{relay} < 2(\delta + \tau)$, the adversary
could violate ND1.

More generally, for T-protocols, no additional consideration
with respect to the impossibility results is necessary,
as $R \le R'$. But for TL-protocols, the inaccuracies in time
and location could be viewed as an impossibility factor: for
given $\delta$, $\tau$, there is no protocol solving the ND problem if
the adversary can relay with delay $\Delta_{relay} < 2(\delta + \tau)$. We
emphasize however that the nature of these impossibility
results differs, as it is not fundamental, as in the T-protocol
case, but can be mitigated by introducing more sophisticated
technology and obtaining accurate time and location,
as long as line-of-sight propagation is assumed.

Finally, we note that accurate time and location informa- 
tion are not possible to achieve without specialized hard- 
ware. In addition, tight synchronization is nontrivial, but 
challenge-response protocols that do not need synchronized 
clocks can overcome this problem. 
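The freshness check of Section 4, the two-estimate check of Section 5 and the approximate-equality variant discussed in this subsection can be written out and run against a direct and a relayed beacon. This is an added example, not code from the paper; HMAC as the authenticator, the threshold R/v (consistent with the 100 m, 333 ns figure in Section 6.1), the lower bound on beacon age, the function names and the constructed node positions are assumptions.

```python
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

C = 299_792_458.0  # propagation speed v in m/s (RF, the v = c case)
EPS = 1e-12        # 1 ps guard against float rounding; not a protocol parameter
Point = Tuple[float, float]


@dataclass(frozen=True)
class Beacon:
    sender: str
    t: float               # beacon-time: sender's clock at start of sending
    loc: Optional[Point]   # beacon-location (used by the TL-protocol only)
    tag: bytes             # authenticator over (sender, t, loc)


def _encode(sender: str, t: float, loc: Optional[Point]) -> bytes:
    body = sender.encode() + b"\x00" + struct.pack(">d", t)
    return body + (b"\x01" + struct.pack(">dd", *loc) if loc is not None else b"\x00")


def make_beacon(sender: str, key: bytes, t: float, loc: Optional[Point] = None) -> Beacon:
    tag = hmac.new(key, _encode(sender, t, loc), hashlib.sha256).digest()
    return Beacon(sender, t, loc, tag)


def authentic(b: Beacon, keys: Dict[str, bytes]) -> bool:
    key = keys.get(b.sender)
    if key is None:
        return False
    want = hmac.new(key, _encode(b.sender, b.t, b.loc), hashlib.sha256).digest()
    return hmac.compare_digest(want, b.tag)


def accept_pt(b, t_recv, keys, R, v=C, delta=0.0) -> bool:
    """Time-based check: beacon age within the threshold (assumed R / v),
    widened by the clock inaccuracy delta as with R' = R + v*delta."""
    age = t_recv - b.t
    return authentic(b, keys) and -delta - EPS <= age <= R / v + delta + EPS


def accept_pgt(b, t_recv, my_loc, keys, v=C, delta=0.0, tau=0.0) -> bool:
    """Time- and location-based check: the two distance estimates, expressed
    as delays, must agree to within delta + tau."""
    if b.loc is None or not authentic(b, keys):
        return False
    time_est = t_recv - b.t                  # time-of-flight estimate (s)
    geo_est = math.dist(my_loc, b.loc) / v   # location-based estimate (s)
    return abs(time_est - geo_est) <= delta + tau + EPS


def arrival(t_send, hops, relay_delay=0.0, v=C) -> float:
    """Reception time along a path of points; every intermediate point is a
    relay that adds relay_delay."""
    flight = sum(math.dist(p, q) for p, q in zip(hops, hops[1:])) / v
    return t_send + flight + relay_delay * (len(hops) - 2)


def scenario() -> Dict[str, bool]:
    # Constructed layout: B is 60 m from A; the relay sits off the A-B line.
    keys = {"B": b"constructed-demo-key"}
    A, B, relay = (0.0, 0.0), (60.0, 0.0), (30.0, 10.0)
    R, t0 = 100.0, 1.0
    beacon = make_beacon("B", keys["B"], t0, B)
    direct = arrival(t0, [B, A])
    fast = arrival(t0, [B, relay, A], relay_delay=40e-9)
    slow = arrival(t0, [B, relay, A], relay_delay=400e-9)
    altered = replace(beacon, loc=(63.0, 0.0))  # location changed in transit
    return {
        "pt_direct": accept_pt(beacon, direct, keys, R),
        "pgt_direct": accept_pgt(beacon, direct, A, keys),
        "pt_fast_relay": accept_pt(beacon, fast, keys, R),
        "pt_slow_relay": accept_pt(beacon, slow, keys, R),
        "pgt_fast_relay": accept_pgt(beacon, fast, A, keys),
        "pgt_fast_relay_tol30ns": accept_pgt(beacon, fast, A, keys, delta=20e-9, tau=10e-9),
        "pgt_fast_relay_tol60ns": accept_pgt(beacon, fast, A, keys, delta=40e-9, tau=20e-9),
        "pgt_altered_loc": accept_pgt(altered, fast, A, keys, delta=20e-9, tau=10e-9),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:24s} {'ACCEPT' if accepted else 'reject'}")
```

The run uses error-free measurements, so the 60 ns case shows only that a tolerance wider than the extra delay on the relayed path admits the beacon.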

7. RELATED WORK 

The prevalent wormhole prevention mechanism is based 
on distance bounding, which was first proposed by Brands 
and Chaum in [2] to thwart a relay attack between two cor- 
rect nodes, also termed mafia fraud. Essentially, distance 
bounding estimates the distance between two nodes, with 
the guarantee that it is not smaller than their real distance.
Subsequent proposals contributed in aspects such as mutual
authentication [27], efficiency [TO], and resistance to
execution of the protocol with a colluding group of adversarial
nodes [3], [25]; in the latter, the attack termed terrorist fraud
is thwarted under the assumption that adversarial nodes do
not expose their private cryptographic material; if not, one
adversarial node can undetectably impersonate another and
successfully stage a terrorist fraud. Authenticated ranging,
proposed by Capkun and Hubaux in [28], lifts the technically
non-trivial requirement of rapid response (present in all the
above protocols), at the expense of not being resilient to a
distance fraud, when the protocol is executed with a single,
non-colluding adversarial node [3]. This group of protocols,
in which temporal packet leashes [13] and TrueLink [8] (both
not resistant to the distance fraud) can be included, was the
main inspiration for our investigation that led to a general
impossibility result.

Another group of ND mechanisms is based on location, 
with geographical packet leashes [13] the primary representative.
The impossibility result does not apply here, as
T-protocols are not location-aware. Indeed, we prove that $\mathcal{P}^{GT}$,
a TL-protocol, can solve ND. We emphasize that $\mathcal{P}^{GT}$ is
different from geographical packet leashes, because it requires
clock synchronization as tight as that for temporal packet
leashes. Essentially, $\mathcal{P}^{GT}$ is a combination of temporal and
geographical leashes. Upon careful inspection of the literature,
there exist prior passages seemingly cluing or relating
to this idea: the introduction of Q2] or the discussion of 
combining a so-called node-centric localization scheme with 
distance bounding techniques [2H] . Nonetheless, to the best 
of our knowledge, we are the first to explicitly point out the 
advantages, over other approaches for secure ND, of combin- 
ing location information with tight temporal bounds. We 
note that the authors of [13] mention the obstacle problem, 
but only in the case of geographical packet leashes. However, 
the solution that they propose - having a radio propagation 
model at every node - is not applicable in most scenarios. 

The approach of Poovendran and Lazos [21] can be seen 
as an extension of a location based scheme: a few trusted 
nodes (guards) are aware of their location, transmit it pe- 
riodically in beacons, and all other nodes determine their 
neighbors based on whether they received sufficiently many 
common beacons. This scheme is a multi-party ND protocol 
and thus our impossibility result does not apply. Unfortunately,
from the perspective of our approach, [21] has some
serious drawbacks. Most notably, it relies on the "no
obstructions" assumption - nodes that are close but cannot
communicate can be tricked into establishing a neighbor re- 
lation. In addition, adversarial nodes are rather limited in 
their behavior: one can see an attack against this scheme, 
in particular Claim 2, when adversarial nodes are allowed to 
selectively relay beacon messages. 

A scheme using directional antennas was proposed by Hu 
and Evans in [12], with the interesting property that it can 
be used as a two-party ND protocol, or as a multi-party ND 
protocol with additional nodes serving as verifiers of neigh- 
bor relations. In the two-party operation the scheme has se- 
curity weaknesses that the multi-party version is called upon 
to remedy. In the latter case, our impossibility result does 
not apply directly. Nonetheless, significant security prob- 
lems remain, with the scheme oblivious to obstacles and the 
adversary model limited. As the authors point out, a suc- 
cessful attack can be mounted if more than two adversarial 
nodes collaborate. Recall that in our proofs we allow for
arbitrary node collaboration (or collusion).

[14] proposes to collect local, $k$-hop connectivity information
obtained with a non-secure ND mechanism, and to
inspect it for forbidden structures: subgraphs that are likely
to exist only if a wormhole is present in the vicinity. The 
exchange of connectivity information makes it a multi-party 
protocol. Although the simulations presented in [14] show a 
very good detection rate, as in [21], the considered adversary 
is quite naive: a single non-selective long-range wormhole. 

A different approach to secure neighbor discovery could 
exploit radio frequency fingerprinting (RFF) [4]: devices 
from the same production line are not identical, but rather 
the signals each one emits may have unique identifiable fea- 
tures. If these signals can be identified upon reception of 
a message, it becomes impossible for an adversarial node 
to relay any message undetected. If such a scheme were in 
place, our impossibility result would not apply. The reason 
is that impossibility hinges on the very fact that a correct 
node cannot identify how a message was received. This es- 
sentially allows the adversary to relay wireless transmissions 
(messages). However, it is questionable if RFF can be used 
to secure ND. Investigations with different types of devices, 
e.g., [23] or [26], show classification success rate around 
90% in laboratory conditions. At the same time, findings 
such as "... radios were found to have fingerprints that were 
virtually indistinguishable from each other, making the iden- 
tification process more difficult, if not impossible..." [7] clue 
on unresolved limitations. 

The wormhole attack, in its symptoms, bears similarity to 
two other fundamental and hard to detect attacks. On one 
hand, a wormhole end can be perceived as a Sybil node, with 
messages tied to different identities being transmitted by a 
single node. Hence, seemingly, a Sybil node detection mech- 
anism Q~7] could be used to thwart relay attacks. However, 
a wormhole can selectively relay the messages of a single 
node, and still be effective (e.g. Figure 5, setting $S^c$). On
the other hand, as in the node replication attack, messages 
tied to a single identity are transmitted by more than one 
node. However, node replication is harder to detect than 
a wormhole attack: schemes that address node replication 
[20], [5] focus on probabilistically detecting replicas located
in remote parts of the network and require that nodes are 
location-aware. Obviously, a long-range wormhole can be 
easily (and deterministically) prevented using geographical 
packet leashes. 

A large body of work on formal reasoning on crypto- 
graphic protocols exists, yet the classical cryptographic pro- 
tocols live in the Internet: thus these methods are agnostic 
about the characteristics of the communication medium, es- 
pecially a wireless one. Recently, there has been a rising 
interest in formalizing analysis of security protocols in wire- 
less networks. The problem of distance bounding has been 
treated formally in [TS], whereas other works were concerned
with routing [16], [TJ, [18], [30] or local area networking [11].
These works are concerned with different problems and their 
approaches are not amenable to reason about secure neigh- 
bor discovery. 

8. CONCLUSIONS 

We investigate the problem of secure neighbor discovery 
(ND) in wireless networks. We build a formal framework, 
and provide a specification of neighbor discovery or, more 
precisely, its most basic variant: two-party ND. We consider
two general classes of protocols: time-based protocols
(T-protocols) and time- and location-based protocols (TL- 
protocols). For the T-protocol class, we identify a funda- 
mental limitation governed by a threshold value depending 
on the ND range: We prove that no T-protocol can solve 
the ND problem if and only if adversarial nodes can relay 
messages faster than this threshold. This result is a use- 
ful measure of the ND security achieved by T-protocols and 
leads us to investigate other classes of protocols. 

In particular, we prove that no such limitation exists for 
the class of TL-protocols: They can solve the ND problem 
for any adversary, as long as the time and location measure- 
ments are accurate enough, and line-of-sight signal propaga- 
tion is assumed. The protocols we analyze are very simple if 
not the simplest possible to allow positive results. In future 
work, we will focus on a larger spectrum of protocols, most 
notably multi-party neighbor discovery, as well as model
additional aspects, such as the ability of nodes to control
their transmission power.